
Date Published: March 14, 2022

Drupal session cookie attributes

We are often asked for help troubleshooting the attributes of Drupal's session cookies. The good news is that Drupal generally does a good job on this front, and it is seldom necessary to alter the default settings.

What are the HttpOnly and Secure attributes on (session) cookies?

A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.
To help mitigate cross-site scripting (XSS) attacks, HttpOnly cookies are inaccessible to JavaScript... they are only sent to the server.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#the_set-cookie_and_cookie_headers

Drupal always sets the HttpOnly attribute on its session cookies

D7: https://git.drupalcode.org/project/drupal/blob/7.x/includes/bootstrap.inc#L693
D8: https://git.drupalcode.org/project/drupal/blob/8.8.x/core/lib/Drupal/Core/DrupalKernel.php#L999
D9: https://git.drupalcode.org/project/drupal/-/blob/9.4.x/core/lib/Drupal/Core/DrupalKernel.php#L995

There should be no need to alter this configuration, e.g. in settings.php.

Drupal will set the Secure attribute on session cookies when the site is being accessed via https

D7: https://git.drupalcode.org/project/drupal/blob/7.x/includes/bootstrap.inc#L821
D8: https://git.drupalcode.org/project/drupal/blob/8.8.x/core/lib/Drupal/Core/Session/SessionConfiguration.php#L37
D9: https://git.drupalcode.org/project/drupal/-/blob/9.4.x/core/lib/Drupal/Core/Session/SessionConfiguration.php#L45

Therefore, if the site is being accessed via https, session cookies will typically have both the HttpOnly and Secure attributes set.

Common pitfalls

When testing session cookie attributes, accessing the site over plain http will result in the Secure attribute not being set on the session cookie. In addition, browsers will not send a Secure cookie with a (non-secure) plain http request, so a Secure cookie issued earlier over https will not appear in an http request either.

Examining the PHP cookie settings in php.ini or phpinfo() will not reflect the settings Drupal uses, because Drupal manages these settings itself, as shown in the code linked above.

It's best to use a browser's developer tools to examine the attributes of Drupal's session cookie once you have logged in to the site (over https if you're hoping to see the Secure attribute set).

Warning: "mixed mode"

Versions of Drupal before 8 had an option sometimes referred to as "mixed mode" for sessions, whereby there are two session cookies, one for secure and one for non-secure requests. In this case the non-secure cookie will not have the Secure attribute set.

This option doesn't have a very descriptive name in settings.php:

    $conf['https'] = 1;

...which sometimes leads to confusion; it's not obvious what putting this in settings.php will actually do.

See the docs on mixed mode. This option was removed in Drupal 8, and there's seldom a good reason to use it.
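The checks described under "Common pitfalls" and "mixed mode" above can be automated against the Set-Cookie headers a response carries. The following script is an added example, not Drupal's own code or part of this article; it assumes only that Drupal names its session cookie SESS<hash> when issued over http and SSESS<hash> when issued over https (the names and attribute values in the sample headers are constructed). It flags a missing HttpOnly attribute as a real finding, treats a missing Secure attribute on a plain-http or mixed-mode SESS cookie as expected rather than a finding, and reports mixed mode when both prefixes appear in one response.

```python
"""Audit Drupal session-cookie attributes from Set-Cookie header values.

Added example, not Drupal's own code. Assumes Drupal's SESS<hash> (http) and
SSESS<hash> (https) session cookie naming; everything else is plain parsing.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample Set-Cookie values, not captured from a real site.
SAMPLE_HTTP = [
    "SESS1a2b3c4d=Qx9Zu7v; expires=Sun, 03-Apr-2022 10:00:00 GMT; Max-Age=2000000; "
    "path=/; domain=.example.test; HttpOnly",
    "Drupal.visitor.timezone=UTC; path=/",
]
SAMPLE_HTTPS = [
    "SSESS1a2b3c4d=Mf8Kd2p; expires=Sun, 03-Apr-2022 10:00:00 GMT; Max-Age=2000000; "
    "path=/; domain=.example.test; secure; HttpOnly",
]
# Drupal 7 with $conf['https'] = 1 ("mixed mode"): two session cookies in one response.
SAMPLE_MIXED = SAMPLE_HTTPS + SAMPLE_HTTP


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, {lower-cased attribute: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flag attributes get an empty value
    return name, attrs


def session_prefix(name: str) -> str:
    """'SSESS' for Drupal's https session cookie, 'SESS' for the plain one, '' otherwise."""
    if name.startswith("SSESS"):
        return "SSESS"
    if name.startswith("SESS"):
        return "SESS"
    return ""


def audit_session_cookies(set_cookie_values: List[str], over_https: bool) -> Tuple[List[CookieAudit], bool]:
    """Audit the Drupal session cookies in a response.

    Returns (one CookieAudit per session cookie, mixed_mode_detected).
    """
    parsed = [(n, a) for n, a in map(parse_set_cookie, set_cookie_values) if session_prefix(n)]
    prefixes = {session_prefix(n) for n, _ in parsed}
    mixed_mode = {"SESS", "SSESS"} <= prefixes

    results: List[CookieAudit] = []
    for name, attrs in parsed:
        audit = CookieAudit(name, httponly="httponly" in attrs, secure="secure" in attrs)
        if not audit.httponly:
            # Drupal sets HttpOnly unconditionally, so this is always worth investigating.
            audit.findings.append("missing HttpOnly")
        if not audit.secure:
            if session_prefix(name) == "SESS" and (mixed_mode or not over_https):
                # The pitfall from the article: no Secure attribute on a plain-http cookie is normal.
                audit.findings.append("missing Secure is expected: cookie was issued over plain http")
            else:
                audit.findings.append("missing Secure on an https-issued session cookie")
        results.append(audit)
    return results, mixed_mode


if __name__ == "__main__":
    for label, values, https in (("http", SAMPLE_HTTP, False),
                                 ("https", SAMPLE_HTTPS, True),
                                 ("mixed", SAMPLE_MIXED, True)):
        audits, mixed = audit_session_cookies(values, over_https=https)
        print(f"[{label}] mixed mode detected: {mixed}")
        for a in audits:
            print(f"  {a.name}: HttpOnly={a.httponly} Secure={a.secure} "
                  f"{'; '.join(a.findings) or 'OK'}")
```

To use it on a real site, feed `audit_session_cookies` the Set-Cookie values from the response to your login request and pass `over_https` according to the scheme you actually used; as the article notes, testing over plain http will always show the Secure attribute absent, which the script reports as expected rather than as a problem.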
